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DETAILED ACTION 

1 . This is in response to the arguments filed on 27 April 2006. 

2. Claims 1-22 are pending in the application. 

3. Claims 1-22 have been rejected. 

Response to Arguments 

4. Applicant's arguments filed 27 April 2006 have been fully considered but they are not 
persuasive. 

On page 2, the applicant argues that Munger does not disclose the operation of a 
traceback program to receive the parameters as claimed. The applicant argues that there is no 
disclosure or teaching that the subprocess in anyway receives the IP addresses v and r of the 
victim machine and a router immediately upstream of the victim machine. 

The examiner respectfully disagrees. Munger discloses obtaining the IP address of a 
router and the victim machines. 

On page 3, the applicant argues that Munger does not disclose the determination of a set 
of routers that are neighbors (n) of router r. 

The examiner respectfully disagrees. Munger discloses determining all the neighboring 
routers so prevent attack on all neighboring devices. 

On page 5, the applicant argues that Munger does not disclose the recited continuation of 
the traceback through interconnected routers. 

The examiner respectfully disagrees. Munger continuously sends out a signal to detect 
attacks on network devices. 
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Claim Rejections - 35 USC § 102 
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the 
basis for the rejections under this section made in this Office action: 
A person shall be entitled to a patent unless - 

(e) the invention was described in (1) an application for patent, published under section 122(b), by another filed 
in the United States before the invention by the applicant for patent or (2) a patent granted on an application for 
patent by another filed in the United States before the invention by the applicant for patent, except that an 
international application filed under the treaty defined in section 351(a) shall have the effects for purposes of this 
subsection of an application filed in the United States only if the international application designated the United 
States and was published under Article 21(2) of such treaty in the English language. 

5. Claims 1, 2, 5, 9, 10, 12, 16-19 and 21 are rejected under 35 U.S.C, 102(e) as being 
anticipated by Munger et al U.S. Patent No. 6,502,135 Bl. 

As to claim 1, Munger et al discloses a method for tracing a denial-of-service attack on a 
victim machine back towards its source, comprising steps of: 

operating a traceback program on at least one path to receive two input 
parameters, (a) an IP address (v) of the victim machine and (b) an IP address (r) 
of a router that is immediately upstream of the victim machine [column 1 1 line 44 
to column 12 line 25]; 

determining a set of routers that are neighbors (n) of r [column 16, lines 

16-55]; 

for each neighbor n of r, determining if r is n's next-hop for traffic 
addressed to v, or to a network that v is on, where node n's next-hop for traffic 
addressed to v is the IP address of the node that n will forward a packet to if the 
destination address in the packet is v [column 16 line 56 to column 18 line 28]. 

if r is not n's next-hop for traffic addressed to v, skip over n and query the 
next neighbor of r, while if r is n's next-hop for traffic addressed to v, determining 



Application/Control Number: 09/65 1 ,6 1 9 Page 4 

Art Unit: 2131 

an amount of traffic that n is forwarding to r that is addressed to v [column 16 line 
56 to column 18 line 28]. 

after determining the identity of the neighbor n of r that is the principal 
source of packets flowing to r that are addressed to v, continuing one node further 
upstream from the determined neighbor n of r that is the principal source of 
packets flowing to r that are addressed to v, and continuing to traceback through 
interconnected routers until a source of denial-of-service attack packets to v is 
determined or until further traceback is not possible [column 16 line 56 to column 
18 line 28]. 

As to claims 2 and 10, Munger et al discloses that the step of determining the set of 
neighbors comprises a step of sending at least one query to r to obtain information from a MIB 
that stores IP addresses of routers that are neighbors of r [column 16 line 56 to column 18 line 
28]. 

As to claims 5 and 12, Munger et al discloses that the step of determining an amount of 
traffic comprises a step of sending at least one message to a neighbor router n for determining a 
count of packets that router n is sending to router r that are addressed to v or to a network on 
which v resides [column 16 line 56 to column 18 line 28]. 

As to claim 9, Munger et al discloses a backtracking unit for tracing a denial-of-service- 
attack on a victim machine back towards its source, comprising a computer-readable media for 
receiving a first input parameter of an IP address (v) of the victim machine and a second input 
parameter of an IP address (r) of a router that is immediately upstream of the victim machine 
[column 1 1 line 44 to column 12 line 25], the trackback computer program controlling operation 
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of the data processor to determine a set of routers that are neighbors (n) of r [column 16 line 56 
to column 18 line 28], for each neighbor n of r, determining if r is n's next-hop for traffic 
addressed to v, where node n's next-hop for traffic addressed to v is the IP address of the node 
that n will forward a packet to if the destination address in the packet is v, the traceback 
computer program further controlling operation of the data processor for the case where r is not 
n's next-hop for traffic addressed to v, to skip over n and to query the next neighbor of r, while 
for the case where r is n's next-hop for traffic addressed to v, to determine an amount of traffic 
that n is forwarding to r that is addressed to v [column 16 line 56 to column 18 line 28], and after 
determining the identity of the neighbor n of r that is the principal source of packets flowing to r 
that are addressed to v or to a network to which v is connected, for continuing one node further 
upstream from the determined neighbor n of r that is the principal source of packets flowing to r 
that are addressed to v to continue to traceback through interconnected routers until a source of 
denial-of-service attack packets to v is determined or until further traceback is not possible 
[column 16 line 56 to column 18 line 28], 

As to claim 16, Munger et al discloses a method for determining an identity of a source of 
undesirable packets received from a data communications network, comprising steps of: 

operating a traceback program on at least one path to receive two input 

parameters, (a) an IP address (v) of the victim machine and (b) an IP address (r) 

of a router that is immediately upstream of the victim machine [column 1 1 line 44 

to column 12 line 25]; 

determining a set of routers that are neighbors (n) of r [column 16 line 56 

to column 18 line 28]; 
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for each neighbor n of r, determining if r is n's next-hop for traffic 
addressed to v, or to a network that v is on, where node n's next-hop for traffic 
addressed to v is the IP address of the node that n will forward a packet to if the 
destination address in the packet is v [column 16 line 56 to column 18 line 28]. 

if r is not n's next-hop for traffic addressed to v, skip over n and query the 
next neighbor of r, while if r is n's next-hop for traffic addressed to v, determining 
an amount of traffic that n is forwarding to r that is addressed to v [column 1 6 line 
56 to column 18 line 28]. 

after determining the identity of the neighbor n of r that is the principal 
source of packets flowing to r that are addressed to v, continuing one node further 
upstream from the determined neighbor n of r that is the principal source of 
packets flowing to r that are addressed to v, and continuing to traceback through 
interconnected routers until a source of denial-of-service attack packets to v is 
determined or until further traceback is not possible [column 16 line 56 to column 
18 line 28]. 

As to claim 17, Munger et al discloses that the steps of determining and querying each 
comprise a step of sending queries to the data communications network [column 25, lines 4-22]. 

As to claim 18, Munger et al discloses that the step of querying comprises steps of: 
sending a first network message to a packet router for instructing the packet router to determine a 
number of packets that it is sending addressed to v [column 25, lines 4-22]. Munger et al 
discloses sending a second network message to the packet router to query the packet router for 
the determined number [column 25, lines 4-22], 
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As to claim 19, Munger et al discloses that the step of querying comprises a step of 
sending at least one message to a packet router for determining a number of packets being 
forwarded to or towards v [column 25, lines 4-22]. 

As to claim 21, Munger et al discloses that the step of operating the traceback function 
operates the traceback function on a plurality of selected paths. Munger et al discloses that a 
particular path is selected based at least on an amount of traffic flowing through the path 
traceback tlirough interconnected routers until a source of denial-of-service attack packets to v is 
determined, or until further traceback is not possible [column 25, lines 23-39]. 

Claim Rejections - 35 USC §103 

The following is a quotation of 35 U.S.C. 103(a) which forms the basis for all 
obviousness rejections set forth in this Office action: 

(a) A patent may not be obtained though the invention is not identically disclosed or described as set forth in 
section 102 of this title, if the differences between the subject matter sought to be patented and the prior art are 
such that the subject matter as a whole would have been obvious at the time the invention was made to a person 
having ordinary skill in the art to which said subject matter pertains. Patentability shall not be negatived by the 
manner in which the invention was made. 

6. Claims 3, 4 and 11 are rejected under 35 U.S.C. 103(a) as being unpatentable over 

Munger ct al U.S. Patent No. 6,502,135 Bl as applied to claims 1 and 9 above, and further 

in view of Li et al U.S. Patent No. 6,535,507 Bl. 

As to claims 3, 4 and 1 1, Munger et al does not teach that the step of determining if r is 
n's next-hop for traffic addressed to v comprises a step of sending at least one query to router n. 
Munger et al does not teach that the step of sending at least one query queries an IP Forwarding 
Table MIB of router n. 
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Li et al teaches determining if r is n's next-hop for traffic addressed to v comprises a step 
of sending at least one query. Li et al teaches sending at least one query queries an IP 
Forwarding Table [column 6, lines 46-54]. 

Therefore, it would have been obvious to a person having ordinary skill in the art at the 
time the invention was made to have modified Munger et al so that if it was determined that if r 
was n's next-hop for traffic addressed to v then a query would have been sent to router n. The 
query would have been an IP Forwarding Table of router n. 

It would have been obvious to a person having ordinary skill in the art at the time the 
invention was made to have modified Munger et al, as described above, by the teaching of Li et 
al because it provides automated maintenance of translation tables which may be tailored to meet 
the operating policy of network managers that control respective domains [abstract]. 
7. Claims 6 and 13 are rejected under 35 U.S.C. 103(a) as being unpatentable over Munger 
et al U.S. Patent No. 6,502,135 Bl as applied to claims 1 and 9 above, and further in view of 
Bhaskaran U.S. Patent No. 5,963,540. 

As to claims 6 and 13, Munger et al does not teach a step of establishing a black hole host 
route to v as close as is possible to the source of the denial-of-service attack packets. 

Bhaskaran teaches establishing a black hole host route to v as close as is possible to the 
source of the attack [column 1, lines 53-67]. 

Therefore, it would have been obvious to a person having ordinary skill in the art at the 
time the invention was made to have modified Munger et al so that there would have been a 
black hole host route as close as possible to the source of the attack. 
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It would have been obvious to a person having ordinary skill in the art at the time the 
invention was made to have modified Munger et al, as described above, by the teaching of 
Bhaskaran because it helps reduce the amount of denial of service attack packets in the network 
[column 1, lines 25-39]. 

8. Claims 7 and 14 are rejected under 35 U.S.C. 103(a) as being unpatentable over Munger 
et al U.S. Patent No. 6,502,135 Bl as applied to claims 1 and 9 above, and further in view of 
Hughes U.S. Patent No. 6,636,509 Bl. 

As to claims 7 and 14 ? Munger et al does not teach a step of establishing a special host 
route to v using the same next hop as an existing route. Munger et al does not teach that the 
special host route tracking changes in the existing route such that when a next hop for the 
existing route changes, the next hop for the host route changes similarly. 

Hughes teaches establishing a special host route to v using the same next hop as an 
existing route. Munger et al does not teach that the special host route tracks changes in the 
existing route such that when a next hop for the existing route changes, the next hop for the host 
route changes similarly [column 6, lines 1 1-67]. 

Therefore, it would have been obvious to a person having ordinary skill in the art at the 
time the invention was made to have modified Munger et al so that there would have been a 
special route using the same next hop as an existing route. The special host route would have 
tracked changes in the existing routes so that when a next hop for the exiting route changed, the 
next hop for the host route would have changed similarly. 

It would have been obvious to a person having ordinary skill in the art at the time the 
invention was made to have modified Munger et al, as described above, by the teaching of 
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Hughes because by using special routes it reduces the amount of hops in the routing table 
[column 3, lines 6-29] 

9. Claims 8 and 15 are rejected under 35 U.S.C. 103(a) as being unpatentable over Munger 
et al U.S. Patent No. 6,502,135 Bl as applied to claims 1 and 9 above, and further in view of 
Packer U.S. Patent No. 6,298,041 Bl. 

As to claims 8 and 15, Munger et al does not teach a step of establishing a rate limit for 
packets addressed to v as close as is possible to the source of the denial-of-service attack packets. 

Packer teaches establishing a rate limit for packets addressed [column 4 line 50 to column 
5 line 7]. 

Therefore, it would have been obvious to a person having ordinary skill in the art at the 
time the invention was made to have modified Munger et al so that there would have been a rate 
limit for packets addressed to v as close as is possible to the source of the denial-of-service 
attack packets. 

It would have been obvious to a person having ordinary skill in the art at the time the 
invention was made to have modified Munger et al, as described above, by the teaching of 
Packer because rate control is introduced into a level of a packet communication environment at 
which there is a lack of data rate supervision to control assignment of available bandwidth from 
a single logical link to network flows [column 3, lines 22-32]. 
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10. Claim 20 is rejected under 35 U.S.C. 103(a) as being unpatentable over Munger et al 
U.S. Patent No. 6,502,135 Bl as applied to claim 16 above, and further in view of Bare U.S. 
Patent No. 6,456,597 81. 

As to claim 20, Munger et al does not teach establishing at least one of a black hole host 
route to v as close as is possible to the source of the undesirable packets. Munger et al does not 
teach establishing a special host route to v using the same next hop as an existing route, the 
special host route tracking changes in the existing route such that when a next hop for the 
existing route changes, the next hop for the host route changes similarly. Munger et al does not 
teach establishing a rate-limit for packets addressed to v as close as is possible to the source of 
the denial-of-service attack packets. 

Bare teaches establishing at least one of a black hole host route to v as close as is possible 
to the source of the undesirable packets [column 41 line 66 to column 42 line 45. Bare teaches 
establishing a special host route to v using the same next hop as an existing route, the special 
host route tracking changes in the existing route such that when a next hop for the existing route 
changes, the next hop for the host route changes similarly [column 38 line 33 to column 39 line 
13]. Bare teaches establishing a rate-limit for packets addressed to v as close as is possible to the 
source of the denial-of-service attack packets [column 77, lines 51-60], 

Therefore, it would have been obvious to a person having ordinary skill in the art at the 
time the invention was made to have modified Munger et al, as described above, so that a black 
hole host route would have been established as close as is possible to the source of the 
undesirable packets. A special host route using the same next hop as an existing route would 
have been established, the special host route tracking changes in the existing route such that 
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when a next hop for the existing route changes, the next hop for the host route changes similarly. 
There would have been a rate-limit for packets addressed to v as close as is possible to the source 
of the denial-of-service attack packets. 

It would have been obvious to a person having ordinary skill in the art at the time the 
invention was made to have modified Munger et al by the teaching of Packer because using any 
of the above methods, you reroute any undesired packets away from the network. 
11. Claim 22 is rejected under 35 U.S.C. 103(a) as being unpatentable over Munger et al 
U.S. Patent No. 6,502,135 Bl in view of Bhaskaran U.S. Patent No. 5,963,540, 

As to claim 22, Munger et al discloses a method for tracing a denial-of-service attack on 
a victim machine back towards its source, comprising steps of: 

operating a traceback program on at least one path to receive two input 
parameters, (a) an IP address (v) of the victim machine and (b) an IP address (r) 
of a router that is immediately upstream of the victim machine [column 13, lines 
30-43]; 

determining a set of routers that are neighbors (n) of r [column 16 line 66 
to column 17 line 31]; 

for each neighbor n of r, determining if r is n's next-hop for traffic 
addressed to v, or to a network that v is on, where node n's next-hop for traffic 
addressed to v is the IP address of the node that n will forward a packet to if the 
destination address in the packet is v [column 17, lines 32-51]; 

if r is not n's next-hop for traffic addressed to v, skip over n and query the 
next neighbor of r, while if r is n's next-hop for traffic addressed to v, determining 
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an amount of traffic that n is forwarding to r that is addressed to v by sending at 
least one message to a neighbor router n for determining a count of packets that 
router n is sending to router r that are addressed to v or to a network on which v 
resides [column 17, lines 32-51]; 

after determining the identity of the neighbor n of r that is the principal 
source of packets flowing to r that are addressed to v, continuing one node further 
upstream from the determined neighbor n of r that is the principal source of 
packets flowing to r that are addressed to v, and continuing to traceback through 
interconnected routers until a source of denial-of-service attack packets to v is 
determined or until further traceback is not possible [column 17, lines 52-67]; and 
Munger et al does not teach a step of establishing a black hole host route to v as close as 
is possible to the source of the denial-of-service attack packets. 

Bhaskaran teaches establishing a black hole host route to v as close as is possible to the 
source of the attack [column 1, lines 53-67], 

Therefore, it would have been obvious to a person having ordinary skill in the art at the 
time the invention was made to have modified Munger et al so that there would have been a 
black hole host route as close as possible to the source of the attack. 

It would have been obvious to a person having ordinary skill in the art at the time the 
invention was made to have modified Munger et al, as described above, by the teaching of 
Bhaskaran because it helps reduce the amount of denial of service attack packets in the network 
[column 1, lines 25-39]. 
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Conclusion 

12. THIS ACTION IS MADE FINAL, Applicant is reminded of the extension of time 
policy as set forth in 37 CFR 1.136(a). 

A shortened statutory period for reply to this final action is set to expire THREE 
MONTHS from the mailing date of this action. In the event a first reply is filed within TWO 
MONTHS of the mailing date of this final action and the advisory action is not mailed until after 
the end of the THREE-MONTH shortened statutory period, then the shortened statutory period 
will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 
CFR 1.136(a) will be calculated from the mailing date of the advisory action. In no event, 
however, will the statutory period for reply expire later than SIX MONTHS from the mailing 
date of this final action. 

Any inquiry concerning this communication or earlier communications from the 
examiner should be directed to Aravind K. Moorthy whose telephone number is 571-272-3793. 
The examiner can normally be reached on Monday-Friday, 8:00-5:30. 

If attempts to reach the examiner by telephone are unsuccessful, the examiner's 
supervisor, Ayaz R. Sheikh can be reached on 571-272-3795. The fax phone number for the 
organization where this application or proceeding is assigned is 571-273-8300. 
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Information regarding the status of an application may be obtained from the Patent 
Application Information Retrieval (PAIR) system. Status information for published applications 
may be obtained from either Private PAIR or Public PAIR. Status information for unpublished 
applications is available through Private PAIR only. For more information about the PAIR 
system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR 
system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would 
like assistance from a USPTO Customer Service Representative or access to the automated 
information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000. 



Aravind K Moorthy 
July 23, 2006 





